INFORMATION SECURITY AND PRIVACY CONTROLS OVER
THE AIRMEN MEDICAL SUPPORT SYSTEMS

Federal Aviation Administration

Report Number: FI-2010-069
Date Issued: June 18, 2010

Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject:   ACTION: Report on Information Security and
           Privacy Controls over the Airmen Medical Support
           Systems
           Federal Aviation Administration
           Report Number FI-2010-069
Date:      June 18, 2010
From:      Rebecca C. Leng
           Assistant Inspector General for Financial and
           Information Technology Audits
Reply to Attn. of:  JA–20
To:        Associate Administrator for Aviation Safety, FAA

This report presents the results of our review of the information security and
privacy controls over the Federal Aviation Administration’s (FAA) Airmen
Medical Support Systems (MSS). FAA requires airmen to hold a medical
certification of their medical and mental fitness to operate aircraft.[1] MSS
currently stores more than 18 million medical records supporting the medical
assessment of over three (3) million airmen. To ensure aviation safety and protect
the privacy of airmen, it is critical that this medical information be secure.
Also, coordination with other Federal agencies may improve aviation safety by
identifying airmen who are receiving disability benefits and may not have
disclosed potentially disqualifying medical conditions.

[1] A medical certificate must be held when exercising any of the following privileges: airline transport pilot,
    commercial pilot, private pilot, recreational pilot, flight instructor, flight engineer, flight navigator, or student pilot.
    Except for a person employed by FAA, a branch of the military services or the Coast Guard, a person acting as an air
    traffic control tower operator must also hold a medical certificate.

This review was requested by the Chairmen of the House Committee on
Transportation and Infrastructure and its Subcommittee on Aviation. The
objectives of our audit were to (1) determine if airmen’s personally identifiable
information (PII) is properly secured from unauthorized use or access, and
(2) assess FAA’s progress in establishing mechanisms to identify airmen holding
current medical certificates while receiving disability pay.

To conduct our work, we interviewed officials from FAA’s Civil Aerospace
Medical Institute located in Oklahoma City, Oklahoma; FAA’s Headquarters in
Washington, D.C.; as well as representatives from FAA’s contractor and Aviation
Medical Examiners' (AME) private medical support staff at various locations. We
also spoke with officials from FAA's Office of Budget Policy Division. In
addition, we performed a vulnerability assessment of the MSS network
infrastructure, servers, Web applications, databases, and data interfaces.
We conducted this audit between March 2008 and January 2010 in accordance with
generally accepted government auditing standards. A detailed description of the
scope and methodology used on this audit can be found in exhibit A.

RESULTS IN BRIEF
The names, addresses, Social Security numbers, medical data, and other PII of
airmen are not properly secured to prevent unauthorized access and use. We
found serious security lapses in FAA’s management of AMEs' private medical
support staff access to the system. For example, medical examiners’ former staff
continued to have access to MSS. At the same time, FAA has not fully
implemented security controls required by the Office of Management and Budget
(OMB) and the Department to protect PII, such as multi-factor user authentication,
audit trail reports to detect inappropriate access, and data encryption. In addition,
FAA has not ensured secure configuration of MSS computers in accordance with
the Department’s baseline standards to reduce the risk of unauthorized access and
corruption. Specifically, we found vulnerabilities on MSS computers, such as
configuration allowing intruders to install malicious codes on FAA user
computers. Inadequate contingency planning also threatens the service continuity
of MSS. Combined, these weaknesses make airmen’s PII vulnerable to
unauthorized access and use and potential falsification of medical certificates that
could lead to unfit airmen being medically certified to fly. During the course of
our review, FAA took immediate action to enhance security protection by working
with doctors to remove thousands of separated medical staff's access to MSS and
retracting millions of PII records from the contractor’s site.
However, additional
improvements are needed to adequately secure PII data from unauthorized use.

FAA has made limited progress in identifying airmen who receive disability
benefits while holding medical certificates. While FAA has a draft matching
agreement with the Social Security Administration (SSA) to reconcile data in MSS
and SSA’s disability benefits system, it has yet to establish a target date for
completing the interface. Further, FAA has yet to coordinate with other benefits
providers, such as the Department of Veterans Affairs and the Department of
Labor. FAA continues to rely on airmen to disclose potentially disqualifying
conditions when applying for medical certificates. FAA recently announced a
one-time, limited opportunity for airmen to reveal previously undisclosed
depression and use of antidepressant medications without being subject to FAA
enforcement action.[2] This step, however, does not take the place of a
comprehensive approach to undisclosed medical conditions. Accordingly, FAA
needs to expedite computer matching agreements with disability benefits
providers, implement the checks under those agreements, and take appropriate
enforcement action where falsifications are found.

To assist FAA, we are making a series of recommendations to strengthen the
confidentiality, integrity, and availability of airmen PII and to ensure unqualified
airmen do not receive a medical certification enabling them to fly.

BACKGROUND
MSS contains over 18 million medical records on more than 3 million airmen, of
which over 465,000 have current medical certifications.[3] In addition to medical
information, the system contains other sensitive personal information, such as
name, address, date of birth, and Social Security number of airmen.
MSS is
accessible to about 9,000 users, 8,500 of whom are AME—private physicians who
function as FAA designees—or their staff, who enter the medical data into the
MSS Web site on the Internet. AMEs and their staff have access to all information
(including medical data) stored in MSS on airmen examined in their offices. In
addition, they can access the name, address, date of birth, and partial Social
Security number on all airmen examined by other AMEs and stored in MSS.
Almost 300 AMEs reside in 89 foreign countries and conduct exams on airmen
seeking to fly in the United States.

In 2007, the Inspector General testified before the House Committee on
Transportation and Infrastructure that some airmen failed to disclose to FAA any
medically disqualifying information on their applications for medical certificates.
Further, some airmen held current medical certificates while simultaneously
receiving disability benefits for medically disabling conditions.[4] Our testimony
suggested that FAA work with the SSA and other disability benefits providers to
expeditiously develop and implement a strategy to check for and take appropriate
certificate regulatory enforcement action where falsifications are found, and to
consider revising its application for the medical certificate to require applicants to
explicitly identify whether they are receiving medical disability benefits.

[2] 75 Fed. Reg. 17049 (April 5, 2010).
[3] FAA’s Civil Aerospace Medical Institute in Oklahoma City processes medical certificate applications in MSS.
[4] Falsification of FAA Airman Medical Certificate Applications by Disability Recipients (CC-2007-063, July 17,
    2007).
    OIG reports and testimony can be found on our Web page: www.oig.dot.gov.

SENSITIVE AIRMAN MEDICAL RECORDS ARE NOT PROPERLY
SECURED FROM UNAUTHORIZED USE
DOT policy requires FAA to implement controls for removing medical record
access rights when they are no longer required, to ensure user access is derived
from a role-based validation process and each user’s level of access is
commensurate with a need to know, and to document all users who have access to
sensitive data.[5] However, such controls have not been implemented in MSS. At
the same time, FAA has not implemented OMB guidance to secure PII in an
automated information system or to properly configure MSS production and
development computers to reduce the risk of tampering.

Medical Staff and Contractor Access Continued Despite A Need To
Know
We contacted six AME physicians and medical staff with user access to MSS and
found that, while all six were no longer employed with the AME, their MSS
access status remained active, giving them easy access into the system to obtain
sensitive PII or tamper with MSS data—including the potential to falsify medical
certifications. In addition, AMEs and their staff—current and former—can access
information on airmen who are deceased or inactive that comprise as much as 86
percent of airmen in the database (see table 1). While FAA uses such historical
medical data on airmen as a valuable research tool, it provided no justification for
keeping these records in the online database accessible by non-FAA personnel
over the Internet.

Table 1. Schedule of Airman Records

                     Medical Certifications        Medical Records
                     Number        Percent         Number        Percent
Active airmen          465,493        14%         5,145,075         28%
Inactive airmen      2,813,373        86%        13,336,748         72%
Total                3,278,866       100%        18,481,823        100%

In addition, FAA had been sending millions of airman medical records from the
MSS database to its contractor’s facilities, a practice that has been in place over
the past decade. FAA’s contractor has been using this live data in its system
testing procedures, but FAA had not justified the contractor’s need for using
millions of live records—or considered the security implications of storing airman
PII at the contractor facility. After we requested documentation of support and
approval of the data transference, FAA concluded there was no business need to
maintain the data at the contractor’s site. Millions of PII records were purged
from the contractor’s site.

[5] DOT Information Technology and Information Assurance Policy Number 2006-22 – October 11, 2006 (revision 1):
    Implementation of DOT’s Protection of Sensitive Personally Identifiable Information (SPII).

The control weaknesses we identified are largely the result of FAA’s failure to
provide adequate oversight of the contract by communicating the DOT
requirements regarding access controls.
Upon learning of these control
weaknesses, we notified FAA, which responded in June 2009 (see Appendix A),
stating that it had begun implementing corrective actions, such as working with
doctors to remove access for separated medical staff. In addition, FAA purged
millions of PII records from the contractor’s site. However, the lack of
documentation about the application security features such as definitions of users’
ability to access data and perform critical functions continues to weaken FAA’s
ability to administer effective security.

MSS Does Not Comply with Department Guidance/Policy on
Measures to Deter and Detect Unauthorized Access
In 2006, OMB reemphasized to agencies their responsibilities and corresponding
policy to appropriately safeguard PII, such as implementing secure authentication
methods for remote access to compensate for a lack of physical security controls.[6]
Following OMB’s guidance, the Department required its operating components to
encrypt PII data, use multifactor user authentication and DOT’s Secure Remote
Access (SRA) portal for remote PII access[7], provide security and privacy
awareness training for the AME users, and report abuses of access privileges. The
Department issued their requirements in 2006; however, FAA has not fully
complied with OMB and DOT requirements.

Data Encryption, Multifactor Authentication and Secure Remote Access
DOT requires operating components to encrypt all sensitive PII. At the time the
policy was issued, DOT required all existing sensitive PII to be encrypted within 6
months. However, sensitive airmen information continues to lack encryption.
MSS passwords were also stored in clear text on the system, thus lacking technical
safeguards in accordance with existing DOT policy and the Privacy Act to ensure
the security and confidentiality of privacy records and to protect against security
threats.
In addition, airmen's PII shared with another FAA system is not encrypted
during transmission or when stored in the receiving system. FAA also lacks a
written plan describing the required security and processing procedures for the
interface.

[6] OMB Bulletin M-06-16, “Protection of Sensitive Agency Information,” June 23, 2006. OMB recommended controls
    to compensate for the lack of physical security when information is removed from, or accessed from outside the
    agency location.
[7] DOT policy requires that all DOT personnel and contractors that access DOT internal networks and systems
    remotely shall use only an authorized and approved SRA.

FAA has also failed to implement strong mechanisms to authenticate users for
remote access to MSS, as required by DOT policy and identified in FAA’s MSS
Information System Security Plan (ISSP). Specifically, the ISSP calls for MSS to
comply with the National Institute of Standards and Technology’s (NIST) level 4
technical requirements for multifactor authentication.[8] Level 4—NIST’s highest
remote network authentication level—requires employment of at least two of the
following three authentication methods: (1) a password or personal identification
number; (2) a smartcard, badge, or other authentication token; and (3) a physical
characteristic such as biometric information. While FAA has implemented
password controls for MSS user authentication, we found no evidence that the
required second authentication has been designed, tested, or implemented.

Further, FAA does not require remote users to go through the Department's SRA
portal to access sensitive MSS information.
The portal ensures user computers are
appropriately configured with security updates and virus protection before access
is granted to reduce the risk of attacks on departmental networks. Approximately
8,500 of MSS active users can access sensitive PII remotely without using the
SRA portal.

Failure to encrypt sensitive PII and control remote access to MSS places airmen at
unnecessary risk of identity theft, jeopardizes the integrity of the medical
certification process, and increases risks of attacks on departmental networks.

Security and Privacy Awareness Training for AMEs and Their Staff
OMB Circular A-130, the Federal Information Security Management Act
(FISMA), and the Computer Security Act of 1987 require agencies to ensure that
all users of Federal computer systems are appropriately trained in policies and
procedures regarding computer security, protection of privacy, as well as how to
fulfill their security responsibilities before allowing access to the systems.
Further, individuals are required to exhibit behavior consistent with the rules of
the system and periodic refresher training for continued access.

Despite these requirements, which are part of DOT policy, FAA exempted AME
staff from taking DOT’s mandatory security awareness and privacy awareness
training. FAA concluded that because the 8,500 AME users with access to MSS
are identified as “designees,” they are not required to take the mandatory training
for employees and contractors. FAA also exempted AME staff from signing a
“rules of behavior” agreement—an agreement that acknowledges responsibility to
take all appropriate precautions to safeguard PII.
FAA planned to include rules of
behavior agreements in the Aviation Medical Examiner certification process once
the agreement form is incorporated in the online MSS certification system.
However, 2 years have elapsed since FAA made this decision, and the full online
system component has not yet been developed.

[8] NIST Special Publication 800-63 “Electronic Authentication Guideline”.

Without providing the required security and privacy training and receiving signed
rules of behavior agreements, users of FAA’s systems may fail to understand their
responsibilities and adhere to practices for properly safeguarding sensitive data
and all other Government owned information technology resources.

Management Reports and Other Controls to Identify Potential
Inappropriate Access and Data Integrity Issues
MSS lacks audit trail reporting and accountability controls to detect incidents of
staff abusing access privileges. Security testing conducted by FAA in September
2008 concluded that there are no audit trail reports to monitor and detect
inappropriate user access. For example, while AME staff is authorized to access
airmen PII to conduct medical examination, excessive access for personal reasons
is not appropriate and needs to be deterred. This security testing resulted in
recommendations that FAA implement a process to monitor user activities. Such
controls have proven to be effective in detecting inappropriate access. For
example, a State Department audit trail review found that personnel had
inappropriately accessed Presidential candidates' passport information during the
2008 election.
Like the State Department's passport system, MSS also contains
sensitive information concerning well-known political leaders and other public
figures.

Further, data extracts of sensitive airmen PII sent to other FAA systems are not
logged or confirmed to have been deleted after 90 days, as required by
departmental policy. FAA plans to implement the recommended audit and
accountability controls by April 2010. However, while FAA has held internal
discussions to address these weaknesses, it has not made progress on a solution
due to consideration of a commercial “off-the-shelf” program to address audit,
accountability, and logging at an enterprise level.

In addition, FAA has not implemented controls to validate critical data as it is
entered into MSS. As a result, inaccuracies, such as invalid Social Security
numbers, can be created when identifying airmen and interfacing data between
various information systems. Inaccuracies in the MSS data could complicate the
procedures to be used in a matching program with benefits provider data. As FAA
moves closer toward performing a matching of airman data with disability
benefits, it will be important to ensure it has the most complete, accurate, and
valid information available in which to perform the computer matching.

NIST provides mandatory controls for Federal information systems, which require
checks for completeness, accuracy, validity, and authenticity of information as
close to the point of origin as possible.
Without MSS data validations in place and
functioning, there is a risk that incomplete and/or inaccurate medical information
could enter the MSS system impeding the efforts of investigators, aviation medical
examiners, and other decision makers.

MSS Production and Development Computers Are Not Properly
Configured to Reduce Risk of Unauthorized Access and Attacks
Web applications, databases, and other MSS system components were not
properly configured, or patched with vendor upgrades, to reduce the risk of
unauthorized access or sabotage. We found critical vulnerabilities in these
components. For example, Web applications can be exploited to gain access to
MSS, making FAA-user computers vulnerable to hacking and malicious codes.
Vulnerabilities in the database allowed us to gain unauthorized access to MSS.
Specifically, we were able to gain valuable configuration information—such as the
database schema—by exploiting database passwords, which were both short and
easy to guess because they were the same as user IDs.[9]

Our prior audit work as well as FAA testing identified additional security
configuration issues. First, we noted that users are allowed six unsuccessful login
attempts to the Web before the account is locked. The MSS ISSP requires
unsuccessful login attempts to be limited to three. Second, the application does
not have a session timeout after 15 minutes of inactivity.

These vulnerabilities are largely the result of weaknesses in the MSS change
management process. Specifically, the process does not provide for assessments
of the impact that planned system changes may have on security prior to
implementation.
For example, while FAA’s processing checklist for system
changes requires a review of previous Certification and Accreditation
documentation, it does not require additional security testing that would identify
new vulnerabilities introduced as a result of these changes. FAA is required by
DOT policy to implement controls that provide for ongoing assessments of system
security, which include monitoring changes to ensure security features remain in
effect and are still functioning properly after system changes. FAA has only
recently begun devoting the resources necessary to implement these controls.

[9] The results of our tests were provided to FAA for remediation. FAA took action to correct weak front end
    application passwords during our review. However, our unauthorized access was possible because back end
    computers were not properly configured to meet security standards.

Contingency Planning Weaknesses Threaten Service Continuity
FISMA requires Federal agencies to follow NIST standards for ensuring system
continuity, which include contingency plan exercises and training, designating an
alternate processing site, and system recovery capability. FAA designated MSS as
a system which, if nonfunctional, has a high-risk impact on FAA missions.
However, continuity controls for MSS did not meet NIST continuity standards for
systems with a moderate-risk impact. For example, in lieu of a live recovery test,
a MSS contingency plan exercise consisted of a single test—calls to key personnel
to confirm contact phone numbers were correct. FAA could expand the scope and
objectives of the exercise to include validating the content of the plan and related
policies and procedures, as well as validating the participant’s roles and
interdependencies.
In addition, FAA lacks a Memorandum of Understanding with
the identified alternate processing site.

Several conditions put MSS at high risk of interruption. First, MSS has been
operating on a back-up server since April 2008 when the primary server failed.
However, FAA never replaced the back-up server. In addition, the MSS database
version in production is no longer supported by the vendor, and only one Database
Administrator (DBA) is working on the MSS system. As a result, security updates
are not being issued to secure the current MSS database, and there is no backup
personnel should the DBA become unavailable.

While FAA is aware of these issues, it has focused on meeting other MSS business
requirements, such as implementing the MedXPress Web site—not on remediating
service continuity weaknesses. Absent effective controls to ensure MSS system
continuity, FAA may be unable to meet its statutory obligation to certify the health
of pilots, air traffic controllers, and other FAA covered positions if the current
system fails.

FAA HAS MADE LIMITED PROGRESS IN DETECTING AIRMEN
RECEIVING DISABILITY BENEFITS WHILE HOLDING MEDICAL
CERTIFICATES
To identify airmen who receive disability pay while holding medical certificates,
FAA has conducted educational outreach, primarily by revising its medical
certificate application forms and has worked with the SSA to discuss a computer
matching agreement.[10] However, the progress has been slow in developing and
implementing mechanisms to systematically detect airmen applying for or holding
medical certificates while receiving disability benefits.

FAA has taken productive steps toward educating airmen and AMEs of their
responsibilities in ensuring airmen, who have disqualifying medical conditions, do
not hold medical certificates. In September 2008, FAA revised the paper and Web
site version of its Application for Medical Certification, Form 8500-8.
The
applications now include a question asking airmen to confirm whether or not they
currently receive, or have ever received, medical disability benefits. These
changes serve to start a dialog between the AME and the airman about potentially
disqualifying medical conditions related to disabilities and provide the basis for
the AME to evaluate airman fitness while medical benefits are received. FAA also
used its Web site and the Federal Air Surgeon’s Medical Bulletin to educate
AMEs on their responsibility to perform good examinations, obtain accurate and
complete information from airmen, and the consequences of falsification. In
addition, FAA revised the privacy act statement on the 8500-8 application to
include a statement that the record may be used to disclose information to other
Federal agencies for verification of the accuracy or completeness of the
information.

[10] Computer Matching Agreements are governed by 5 U.S.C. § 552a, Records maintained on individuals. No record
     that is contained in a system of records may be disclosed to a recipient agency or non-Federal agency for use in a
     computer matching program except pursuant to a written agreement between the source agency and the recipient
     agency.

FAA had discussions on a draft matching agreement with SSA in June 2009, but a
target date for completion has not been determined. FAA is holding ongoing
internal discussions within the Department of Transportation to complete its
review of the draft agreement.
In addition, FAA has not made progress with other
disability benefits providers, and reaching computer matching agreements has
been a challenge—largely due to complications of sharing agency information.

When we began this audit, FAA’s Office of Aerospace Medicine did not plan to
implement an amnesty program to pilots who falsified their medical certificate
application.[11] In our view, an amnesty program would provide an opportunity to
quickly mitigate the safety risk posed by airmen’s undisclosed and potentially
disqualifying medical conditions.[12] FAA initially concluded there is no advantage
in offering an amnesty program to encourage voluntary reporting of falsifications
because the proposed computer matching program between FAA and benefits
providers would discover all of the pilots who have reported conflicting medical
information to agencies. Further, FAA stated that an amnesty program could have
a negative impact on its regulatory and enforcement activities. However, FAA has
since reconsidered the utility of amnesty programs. On April 5, 2010, FAA
announced a one-time, limited opportunity for airmen to reveal previously
undisclosed depression and use of certain antidepressant medications without
being subject to FAA enforcement action for failure to disclose this information on
past medical certificate applications.[13] This is a positive step, but we recommend
that FAA move forward with finalizing and implementing computer matching
agreements to take a comprehensive approach to the undisclosed medical
conditions.

[11] Falsification of FAA Airman Medical Certificate Applications by Disability Recipients (CC-2007-063, July 17,
     2007). The DOT Inspector General previously discussed key points for mitigating the safety risks posed by
     airmen who falsify their Airman Medical Certificate applications to conceal disqualifying medical conditions.
     OIG reports and testimony can be found on our Web page: www.oig.dot.gov.
[12] FAA previously offered a similar program in the late 1980s to identify previously undisclosed drug- or alcohol-
     related convictions, resulting in more than 11,000 pilots making disclosures.
[13] To participate in this program, an airman must surrender for cancellation to the Federal Air Surgeon any current
     medical certificates. The airman must apply for a medical certificate between April 5, 2010 and midnight on
     September 30, 2010. On the application, the applicant must disclose his or her complete history of antidepressant
     use, the underlying condition for which the medication was prescribed, and visits to health professionals in
     connection with antidepressant use or the underlying condition. If an applicant falsifies any of this information on
     an application made on or after April 5, 2010, the FAA may take enforcement action based on that application and
     the previously falsified applications. 75 Fed. Reg. 17,201 (Apr. 5, 2010).

CONCLUSION
The Government is responsible for securing sensitive PII collected from the
public. However, FAA could not provide such assurance for the millions of
airmen PII records stored in MSS. While FAA has begun to take steps to better
safeguard airmen records, the current control environment is still insufficient to
prevent unauthorized or inappropriate access to airmen medical information.
Gaps
in continuity planning and coordination with agencies providing disability benefits
further compromise MSS program integrity. FAA needs to assign a high priority
to fixing the weaknesses identified in this report. Until then, FAA provides little
assurance that sensitive information is protected from misuse, airmen holding
medical certificates are fit to fly, and the medical certification program would not
be disrupted in case of system failures.

RECOMMENDATIONS
We recommend that FAA's Associate Administrator for Aviation Safety, in
consultation with the FAA Chief Information Officer, implement the following
actions to improve the security, reliability, and accuracy of sensitive airmen
medical information and tighten controls to ensure that unqualified airmen do not
receive a medical certification enabling them to fly.

Secure Sensitive Airman Records:

1. Finalize implementation of MSS application security administration
   improvements to ensure only authorized medical staff has access to MSS, as
   identified by the FAA's Federal Air Surgeon in a June 26, 2009, internal
   memorandum, and report progress to the FAA Administrator.

2. Implement restrictions on AME access to inactive airman records based on a
   need to know.

3. Develop documentation detailing the intended controls regarding how users
   function within their assigned security roles, how the MSS application enforces
   both access control and segregation of duties, and the features of the
   application to assist security administration.

Deter and Detect Unauthorized Access and Invalid Airman Data:

4. Encrypt sensitive airmen PII stored in MSS as well as MSS user passwords,
   and develop agreements as appropriate to ensure airmen PII provided to other
   systems is also encrypted.

5. Implement multifactor user authentication, as required by OMB, and the
   Department's Secure Remote Access capability for all MSS users with remote
   access to sensitive PII.

6. Require and validate that all AMEs and their staff participate in the DOT
   security and privacy awareness training, as well as sign the DOT Rules of
   Behavior.

7. Implement the audit and accountability recommendations received during the
   previous certification and accreditation process to help identify inappropriate
   access to sensitive PII (abuse of access privileges) and ensure data
   extract/query has been erased within 90 days from its creation date.

8. Develop edit checks on the integrity of airman application data when entered
   into MSS.

Configure MSS Systems to Reduce the Risk of Attack:

9. Mitigate the vulnerabilities identified by OIG on MSS computers that could
   allow unauthorized access and potentially jeopardize confidentiality, integrity,
   and availability of sensitive PII.

10. Configure MSS computer systems in compliance with applicable Government
    standards including ensuring vendor security updates are applied, the Web site
    locks the user account after three unsuccessful attempts, all passwords on the
    MSS database are in compliance with standards, and that the application will
    enforce a session lock after 15 minutes of inactivity for all users in accordance
    with OMB and DOT guidance.

11. Perform and document security testing as a continual part of the MSS
    development process to confirm that security features remain in effect and are
    still functioning properly when system changes are made.

Mitigate Contingency Planning Weaknesses that Threaten Service Continuity:

12. Acquire a back-up server, finalize the Memorandum of Understanding with the
    selected alternate processing site, and conduct a comprehensive contingency
    test at the alternate site in accordance with Government standards.

13. Upgrade the database system to a version supported by the software vendor.

14. Develop back-up database administration capability in the event the primary
    Database Administrator is unavailable.

Detect Airmen Receiving Disability Benefits:

15. Work with SSA and other disability benefits providers to establish a target
    completion date for performing computer matching to identify airmen applying
    for, or holding, medical certificates and receiving disability benefits.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL
RESPONSE
We provided FAA a draft of this report on March 12, 2010, and received its
written comments on May 19, 2010. FAA concurred with all recommendations
except recommendation 5: implementing multifactor user authentication, as required
by OMB, and the Department's Secure Remote Access capability for all users with
remote access to sensitive PII stored in MSS.

FAA disagrees that multifactor authentication is required to control the remote
access of AMEs and their staff to MSS, even though it is required for FAA
employees/contractors' access. FAA stated it performed an assessment and
determined that multifactor authentication is not required for AMEs and their staff
because they can only access airmen medical data that they have entered into the
system. FAA further stated OMB guidance issued in 2004 requires performance
of such an assessment and does not expressly require multifactor authentication
for all Web based applications. FAA's position disregards OMB guidance issued
later in 2006 specifically to secure remote access to sensitive information.
The
purpose of multifactor authentication is to ensure user authenticity (they are who
they say they are), not to authorize access to the data. Furthermore, FAA did not
respond to the recommendation of restricting remote access to MSS through the
Department's Secure Remote Access portal. This portal checks user computers for
recent security upgrades and virus protection before allowing connections to
DOT's internal networks. Without going through this security check, computers used
by AMEs, if infected, could spread viruses and compromise DOT's networks.
Given this significant threat, we stand by our recommendation that FAA
implement multifactor user authentication and the Secure Remote Access
capability for AMEs and their staff's remote access to sensitive PII.

Although FAA concurred with the remaining 14 recommendations, we have some
concerns regarding its planned implementation for two of these recommendations.
Specifically:

Recommendation 2. We recommended that FAA restrict access to the records of
inactive airmen based on a need to know. FAA concurred and agreed to make the
changes necessary to restrict access to inactive records by September 30, 2013.
However, FAA's implementation schedule is protracted and will continue to put at
risk sensitive airman information beyond the time necessary for this control to be
implemented. Therefore, FAA should strongly consider revising its September 30,
2013 target completion date.

Recommendation 15. We recommended that FAA work with SSA and other
disability benefits providers to establish a target completion date for a computer
matching program to detect airmen applying for, or holding, medical certificates
while receiving disability benefits for disqualifying conditions.
FAA concurred
but took the position that implementation of such a program relies on other
agencies' cooperation, including participation from DOT and SSA OIGs. Both
OIGs participated in comparing MSS and SSA disability data during the Operation
Safe Pilot investigation. This investigation targeted the most egregious cases of
falsification for criminal prosecution. Criminal investigation would not be the
most effective way for FAA to address the safety concerns raised by medically
unfit airmen having medical certificates. Moreover, DOT OIG does not believe it
would be a necessary party to a computer matching agreement. FAA is waiting to
determine if SSA OIG will participate without DOT OIG. Since implementation
of computer matching agreements is not entirely within its control, FAA did not
provide a target completion date. FAA also indicated that should SSA OIG
decline direct participation, FAA will determine, by November 2010, possible
alternatives for implementing a computer matching program. While OIG believes
this is a reasonable response due to the complexity of computer matching
programs, FAA will need to proactively engage SSA and others to ensure progress
on this recommendation and should provide information to OIG on its progress.

FAA's formal response is included in its entirety in Appendix B.

ACTIONS REQUIRED
We consider FAA's actions already taken, as well as those planned, to be
responsive except for recommendations 2, 5 and 15, subject to follow-up
provisions in Department of Transportation Order 8000.1C. We request that FAA
give us a written response to the recommendations noted above. Specifically,
within 30 days, FAA should provide its response regarding the acceleration of the
target completion date for recommendation 2, and its revised position on
multifactor authentication and secure remote access requirements in
recommendation 5.
For recommendation 15, we request that, by December 31,
2010, FAA provide its plan for completion of the computer matching program,
including a target completion date, or its alternative and a target completion date.

We appreciate the courtesies and cooperation of Department of Transportation,
Federal Aviation Administration's Office of Aviation Safety; CAMI Office of
Aerospace Medicine; Office of Quality, Integration, and Executive Services; and
Office of Information Systems Security representatives during this audit. If you
have any questions concerning this report, please call me at (202) 366-1407 or
Nathan Custer, Program Director, at (202) 366-5540.

cc:   Chief Information Officer, DOT
      Assistant Administrator for Financial Services/CFO, FAA
      Assistant Administrator for Information Services/CIO, FAA
      Federal Air Surgeon, Office of Aviation Medicine, FAA
      Director, Civil Aerospace Medical Institute, FAA
      Martin Gertel, M-1
      Anthony Williams, ABU-100

EXHIBIT A. SCOPE AND METHODOLOGY
We conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards prescribed by the Comptroller General of the
United States. As required by those standards, we obtained evidence that we
believe provides a reasonable basis for our findings and conclusions based on
our audit objectives. We used the following scope and methodology in
conducting this review.

We conducted this audit between March 2008 and January 2010.
The review
included site visits to the FAA's Civil Aerospace Medical Institute (CAMI)
located in Oklahoma City, Oklahoma.

To determine if airmen's personally identifiable information (PII) is properly
secured from unauthorized use or access, we interviewed officials from FAA
Headquarters Office of Aviation Safety; Office of Aerospace Medicine; CAMI;
Office of Quality, Integration, and Executive Services; Deputy Director of
Information Systems Security; and representatives from FAA's contractor. In
addition, we interviewed Aviation Medical Examiners' private medical support
staff at various locations, chosen based on users we suspected were no longer
employed, according to information found in an MSS user table. We obtained,
reviewed and analyzed documentation related to the confidentiality, integrity,
and availability of the MSS system.

In addition, we performed a vulnerability assessment of the MSS network
infrastructure, servers, Web applications, databases, and data interfaces in
accordance with DOT departmental Guide to Network Security as well as
applicable baseline controls. We performed the assessment using automated
software tools as well as manual testing techniques. The results of the scans
were reviewed to determine if security settings meet policy and baseline
requirements for security testing, vendor updates (patches) and FAA's
configuration of these systems.

To assess FAA's progress in establishing a program to identify airmen holding
current medical certificates while receiving disability pay, we performed
inquiries with the FAA Office of Budget, Budget Policy Division.

EXHIBIT B. MAJOR CONTRIBUTORS TO THIS REPORT

  Name                  Title

  Nathan Custer         Program Director
  Ping Sun              Program Director, IT Audit Computer Laboratory
  Karen Sloan           Communication Officer
  Joann Adam            Project Manager
  Maria Dowds           Senior Auditor
  Tim Roberts           Senior Auditor
  Vasily Gerasimov      Information Technology Specialist
  Seth Kaufman          Associate Counsel

APPENDIX A. MEMORANDUM FROM THE FEDERAL AIR
SURGEON: JUNE 26, 2009

Federal Aviation Administration

Memorandum
Date:           June 26, 2009
To:             Rebecca C. Leng, DOT/AIGA, JA-20
From:           Frederick E. Tilton, MD, Federal Air Surgeon, AAM-1
Subject:        Aerospace Medical Certification Subsystem (AMCS) Security Issues

This memo is in response to an E-Mail dated June 18, 2009 that you sent to Margaret
Gilligan, AVS-1, and David M. Bowen, AIO-1, and a subsequent telecon between
individuals from the FAA and members of your staff that occurred on June 19, 2009. In
the memo you expressed concern that certain individuals could continue to access the
AMCS system when they no longer had a legal authorization to do so.
We share your
concerns for the security of our systems, and we are taking these actions to correct the
deficiency:

NEAR TERM – Not later than September 30, 2009

As of June 24, 2009, the following action memo pops into view every
time an individual logs on to the AMCS website or the FAA.GOV
AMCS support webpage.

      "To ensure continued security and integrity of your aviator's medical certification
      information on the FAA AMCS web based system, it is critical that only current
      authorized users from your office have valid AMCS accounts. It is your
      responsibility to notify the AMCS Online Support help desk at (405) 954-3238 if staff
      changes have occurred for individuals with AMCS privileges and their employment
      status no longer requires AMCS access."

Not later than July 31, 2009, an electronic query will be transmitted across
AMCS that will be used to identify any aviation medical examiner (AME) or
staff member who has not accessed the AMCS system within the previous 90
days. The information will be reviewed and analyzed by aerospace medicine
(AAM) management to ascertain those AMCS accounts that should be
disabled. AAM management will then notify the IT help desk representative to
disable the identified accounts. This process will be repeated quarterly.

Not later than August 31, 2009, a letter will be sent to each AME that requires
him or her to promptly report any change in staff member status to the regional
flight surgeon, the AMCS online support help desk, the manager of the
aerospace medical certification division AAM-300, and the manager of the
aerospace medical education division AAM-400.
This letter will include the
currently approved users for the office and emphasize that FAA security
requires that AMCS usernames and passwords must not be shared with
anyone. The letter will include a warning that the FAA will take an adverse
action against an AME's designation if he or she should fail to comply with
this requirement.

MID TERM – Not later than December 31, 2009

Train the AAM regional program analysts who perform surveillance visits to
AME's offices to include an assessment of AMCS use by the AME and his or
her staff.

Develop a process that automatically sends an email message to each AME on
a regular basis requiring him or her to verify that each staff member who is
using AMCS is authorized to do so. Non-response from the AME within 30
days will result in account disablement for that AME and associated staff
members.

Provide the results of the electronic query noted above to the AAM regional
flight surgeons for enhanced oversight of AME activity. In addition, the
regional flight surgeons will conduct random checks to help assure
compliance.

LONG TERM – Not later than September 30, 2010

Revise the AME Order to add "AME failure to immediately notify the FAA
about changes in the status of AME staff who are AMCS users" to the list of
reasons that could result in termination of an AME's designation.

As part of the tri-annual AME re-designation process, AMEs will be required
to validate the current status of their staff members who have access to AMCS.

When we issue AMCS usernames and passwords to AMEs and their staffs we
will require them to sign a statement indicating that they agree to stop
accessing AMCS whenever they no longer have the legal justification to use
this system.

Develop a software modification to the AMCS logon procedure that will automatically
require each AME to validate the authorized users in his or her office each quarter.

In closing, as you know, we are legally required to monitor and assess the security
controls of our systems and to take appropriate actions to enhance and improve them as
necessary.

APPENDIX B. AGENCY COMMENTS

Federal Aviation Administration

Memorandum
Date:            MAY 19 2010
To:              Rebecca C. Leng, Assistant Inspector General for Financial and
                 Information Technology Audits
From:            Ramesh K. Punwani, Assistant Administrator for Financial Services/CFO
Prepared by:     Anthony Williams, x79000
Subject:         OIG Draft Report: Information Security and Privacy Controls over the
                 Airmen Medical Support Systems Federal Aviation Administration

The Federal Aviation Administration (FAA) is committed to ensuring the security of our
information systems and the privacy of personal information in our systems. Over the past
year, the FAA has taken steps to tighten access requirements and controls for the Airmen
Medical Support System (MSS), increase the use of encryption, and correct security
vulnerabilities identified in the report. As part of a complete database upgrade in October
2009, the FAA also deployed backup servers, and added processing capability at an
alternate location.
The FAA will complete additional work through next year that will
further strengthen system security and protection of personally identifiable information
(PII).

The FAA plans to establish a Federal database matching program to identify pilots who
have falsified their FAA Application for Airman Medical Certificate (FAA Form 8500-8).
To improve the safety of the National Airspace System, the FAA plans to identify pilots
who receive disability benefits from the Social Security Administration (SSA), Veterans
Administration (VA) or Department of Labor (DOL). The FAA recognizes that pilots may
meet disability standards at SSA, VA or DOL yet still satisfy FAA medical standards, or be
eligible for a special issuance medical certificate. As a result, the FAA will need to
carefully review any match between data bases and review the medical information in those
data bases to ensure that pilots have fully and accurately reported their medical histories to
the FAA. The FAA will initiate appropriate enforcement actions in cases where pilots have
falsified their Application for an Airman Medical Certificate.

Attachment

OIG Recommendations and FAA Responses

OIG Recommendation 1. Finalize implementation of MSS application security
administration improvements to ensure only authorized medical staff has access to MSS,
as identified by the FAA's Federal Air Surgeon in June 26, 2009, internal memorandum
and report progress to the FAA Administrator.

FAA Response: Concur. The FAA implemented security measures that have already
improved MSS application security administration. Work on additional measures is
underway with completion planned for the end of Fiscal Year (FY) 2010.
The following
is a listing of actions completed and underway.

COMPLETED ACTIONS:

User Warning Message – The following warning message, which is displayed when
any user logs in to the Airmen Medical Certification System (AMCS), was implemented
in June 2009:

     "To ensure continued security and integrity of your aviator's medical
     certification information on the FAA AMCS web based system, it is critical
     that only current authorized users from your office have valid AMCS
     accounts. It is your responsibility to notify the AMCS Online Support help
     desk at (405)954-3238 if staff changes have occurred for individuals with
     AMCS privileges and their employment status no longer requires AMCS
     access."

User Account Inactivity Report – The FAA developed an automated query to help
identify users that may no longer require access to the system. The query generates
quarterly reports of MSS accounts which have not accessed the system within the last 90
days. This report can be run at any time and for any duration (i.e. 30, 60, 90 days, etc.) of
inactivity.

User Requirement Notification – A letter notifying each AME of their responsibility
to report staff changes was mailed to each AME on September 21, 2009.

Train FAA Designee Surveillance Staff – The FAA developed and conducted training
for FAA employees who are assigned designee oversight and quality assurance
responsibilities. This AME surveillance training was held in October 2009.

AME Verification – In December 2009 the FAA implemented an automated process
for sending E-Mail messages to AMEs on a regular basis requiring verification for each
of their staff members authorized to access AMCS.

Electronic Query Results Reporting – FAA Regional Flight Surgeons received their
first reports from the verification queries in December 2009. This reporting will improve
designee oversight and will continue until the final MSS software modification is
functional.

Tri-Annual AME Staff Access Revalidation – Beginning in October 2009, AMEs are
required to review all members of their staff who have MSS access and confirm that they
are still employed by the AME and still require access to MSS.

Signed Verification of Need for Access to MSS – FAA requires AMEs and their staffs
to complete and sign an account request form to obtain their user names and passwords.
The form they sign includes a statement that they agree to notify the FAA and stop
accessing MSS when they no longer have a legal justification to do so. Specifically the
statement reads:

     "I agree to promptly notify the Aeromedical Certification Division/AAM-300
     of any changes in the status of the requestor's employment or in the event
     that the requestor (AME, Staff, or FAA Employee/Contractor) no longer has
     the need-to-know requirements concerning the above computer system."

ACTIONS UNDERWAY – The following actions are underway and are intended for
completion by the end of FY 2010:

Revise FAA AME Order – A revision to FAA Order 8520.2 incorporates a new
provision as a cause to terminate an AME designation. Under the new provision, an
AME may be terminated for failure to notify the FAA of staff changes for those with
access to AMCS. The revisions incorporated in this change to the order focus on FAA
designee management standards.
The order is ready for internal FAA coordination and
the projected publication date is August 2010.

Improved User Authentication – The FAA is developing MSS software modifications
to require AMEs to validate authorized users quarterly. Portions of the software
modifications have been completed and deployed, including the web page, which AMEs
will use to validate staff members. This web page was available in December 2009 for
AMEs to begin validating staff with continuing need to access the MSS. This same web
page will be used by AMEs when they are required, as part of the AMCS logon process,
to validate their staff personnel each quarter. Full implementation of the AMCS logon
validation procedure is slated to be completed and deployed by August 31, 2010.

OIG Recommendation 2. Implement restrictions on AME access to inactive airman
medical records based on a need to know.

FAA Response: Concur.

In addition to all the restrictions currently in the MSS system, the FAA will develop the
necessary MSS software changes for designating airmen medical records as inactive and
restricting access to inactive records for aerospace medicine research purposes only.
While the FAA concurs with the recommendation, a number of interim measures must be
addressed to achieve implementation. First, the FAA needs to begin with a business
process to define an "inactive airman" from the perspective of medical certification.
While deceased airmen are discussed in the report, the FAA is not typically informed
when an airman dies through non-aviation related events.
AVS could base the definition
on the valid period for a third class medical certificate with a grace period added to
minimize inefficient shuffling of airmen records between an active and inactive status.
Determining the length of the grace period could be supported by queries of historical
examination records. After the FAA determines a standard for inactivity, it will need to
develop business processes and application modifications to restrict AME and employee
access to records of inactive airmen. The FAA will also need to concurrently develop
business processes that return records to an active status, if appropriate, without an undue
burden on the airmen or designees. The target date for completing the actions relating to
this recommendation is no later than September 30, 2013. As discussed above, this will
require interim actions, which will be completed as follows:
    • Complete analysis of MSS airmen data – September 30, 2010
    • Complete development of active/inactive airmen business rules – December 31,
      2010
    • Complete analysis of required MSS modifications – May 31, 2011
    • Complete plan for MSS modifications, cost estimates and schedule – September
      30, 2011
    • Task MSS modifications to contractor – December 31, 2011
    • Completion of all MSS modifications – September 30, 2013

OIG Recommendation 3. Develop documentation detailing the intended controls
regarding how users function within their assigned security roles, how the MSS
application enforces both access control and segregation of duties, and the features of the
application to assist security administration.

FAA Response: Concur.

During the fiscal year (FY) 2009 annual security assessment of the MSS applications,
AVS developed documentation that details user functions within their assigned security
roles.
The activities necessary to complete the remaining aspects of this recommendation
must be completed in two sequential steps. Actions to complete documentation
describing how the MSS applications enforce access control and separation of duties are
included in the departmental FISMA reporting system, with a due date of September 30,
2010. Once the access control and separation of duties documentation is complete,[1] the
FAA can begin developing documentation for security administrators that describes the
features of the application, which is being tracked with a due date of September 30, 2011.

[1] The FAA assumes "segregation of duties" is synonymous with "separation of duties" as
    defined in control AC-5, Separation of Duties, in NIST Special Publication 800-53.

OIG Recommendation 4. Encrypt sensitive airmen PII stored in MSS as well as MSS
user passwords, and develop agreements as appropriate to ensure airmen PII provided to
other systems is encrypted too.

FAA Response: Concur.

The FAA began encrypting the tables containing user passwords and airmen PII as part of
the database upgrade, which was completed on October 13, 2009. Encryption to protect
the transfer of records to the Aviation Registry will be implemented in accordance with
the AVS Privacy Implementation Plan. As part of the 2010 security assessment of the
Aviation Registry and MSS systems, the FAA will create Plan of Action and Milestones
(POA&Ms) to reflect the OIG recommendation to encrypt the data transfer between MSS
and the Aviation Registry.
An MOU for data transfer between MSS and the Aviation
Registry is not necessary because these two systems are under the management control of
the Associate Administrator for Aviation Safety and FAA Order 1370.82A, Information
Systems Security Program, specifically states that an agreement is not required.

The security controls to protect airmen PII provided for computer record matching with
the National Driver Registry (NDR) are in place, including encryption. AVS is
developing a memorandum of understanding with the Office of Security and Hazardous
Materials (ASH) to formalize the information exchange and security requirements. The
target date for completing the ASH MOU and data encryption between MSS and the
Aviation Registry is September 30, 2011.

OIG Recommendation 5. Implement multifactor user authentication, as required by
OMB and the Department's Secure Remote Access capability for all MSS users with
remote access to sensitive PII.

FAA Response: Non-Concur.

The MSS consists of multiple software components. The FAA updated the Information
System Security Plan (ISSP) and E-Authentication Analysis in 2009 to provide a clear
rationale for the differing access levels for the different MSS component applications.
Remote FAA users who can fully access all MSS data and applications must use
multifactor authentication. AMEs, their staffs and airmen have significantly restricted
access to MSS data and applications. AMEs and their staffs may only access one web
based application, AMCS, and can only access airmen medical data that they have
entered into the system.
Airmen only have access to MedXpress which allows them to
submit their personal identifying and medical information for their next examination.
Because of the limited system access, the FAA determined that AMEs, AME staff, and
airmen only require user ID and password authentication (NIST SP800-63 Level 2).

OMB does not require multifactor authentication for all web based applications. OMB
Memorandum 04-04 directed agencies to perform an assessment of the authentication
requirements for applications, such as AMCS and MedXpress. The results of an
assessment following OMB guidance can range from as little as user ID alone for a Level
1 application up to multifactor authentication (including hard token) for Level 4
applications. FAA documented the AMCS and MedXpress assessments in both 2008 and
2009 E-Authentication Analyses. No further action is planned on this recommendation.

OIG Recommendation 6. Require and validate that all AMEs and their staff participate
in the DOT security and privacy awareness training, as well as sign the DOT Rules of
Behavior.

FAA Response: Concur.

FAA agrees to provide AMEs and their staff with appropriate security and privacy
awareness training. Since AMEs and their staff have access to a single FAA application,
and access within that application is already very limited, their training will be more
focused and specialized than the DOT employee and contractor training which is
intended for users with network access to multiple DOT applications.
In developing and
delivering appropriate training, the FAA must carefully balance the benefits of security
awareness training with the burdens it places on AMEs, who assist the FAA in
performing a critical aviation safety function, but are not compensated by the
government.

Additionally, as health care providers, the Health Insurance Portability and
Accountability Act (HIPAA) of 1996 and the U.S. Department of Health and Human
Services (HHS) implementing regulations in 45 CFR Parts 160 and 164 apply to AMEs
and their staffs. 45 CFR Part 164.308(a)(5)(i) addresses Security Awareness and
Training and requires the implementation of a security awareness and training program.
HHS enforces the HIPAA Privacy Rule, which protects the privacy of individually
identifiable health information and the HIPAA Security Rule, which sets national
standards for the security of electronic protected health information.

Recognizing the benefits of security awareness training, the FAA will develop and
incorporate appropriate security and privacy awareness training into both basic and
recurrent AME training. The FAA will also reinforce security awareness for AMEs and
their staff through recurring articles in the Federal Air Surgeon’s Medical Bulletin that is
published quarterly and distributed to all AMEs. Although the current AMCS Account
Request form includes many items associated with “Rules of Behavior”, the FAA will
review its Rules of System Use (RoSU) and update the form as required. In addition, the
FAA will add security messages to the AMCS "splash" screen, requiring the user to
acknowledge the message before accessing the application.
The target date for
completing all actions associated with this recommendation is September 30, 2011.
Interim milestones include:

   •   Complete review of RoSU – September 30, 2010
   •   Update RoSU – December 31, 2010
   •   New AMCS security/privacy messages deployed to the AMCS “splash screen” –
       March 31, 2011
   •   Deploy new initial and recurrent AME security and privacy training – September
       30, 2011

OIG Recommendation 7. Implement the audit and accountability recommendations
received during the previous certification and accreditation process to help identify
inappropriate access to sensitive PII (abuse of access privileges) and ensure data
extract/query has been erased within 90 days from its creation date.

FAA Response: Concur.

The remediation item to implement an audit process and capability into MSS is entered in
the departmental FISMA reporting system with a due date of September 30, 2011.

OIG Recommendation 8. Develop edit checks on the integrity of airman application
data when entered into MSS.

FAA Response: Concur.

The functional requirements document for MSS includes edit check capability to ensure
the integrity of airman application data. OIG testing of MSS indicated that required edit
checking of airmen data was not taking place within the application. The FAA will test
the edit checking capability within MSS and ensure that it is working.
Milestones for this
OIG recommendation are as follows:

   •   Complete validation testing of the MSS application suite – September 30, 2010.
   •   Implement corrective measures within MSS where the validation process
       identifies inconsistencies with the functional requirements document – September
       30, 2011.

OIG Recommendation 9. Mitigate the vulnerabilities identified by OIG on MSS
computers that could allow unauthorized access and potentially jeopardize
confidentiality, integrity, and availability of sensitive PII.

FAA Response: Concur.

FAA reviewed and corrected findings provided to the Program Manager for the MSS
applications. Following the correction of vulnerabilities identified in the scan of
MedXPress, the Program Manager reviewed the other MSS component applications
based on these findings. The hosting infrastructure for the MSS application has been
completely replaced. The servers are regularly monitored for missing security updates
and other vulnerabilities and appropriate action has been taken in each instance. This
action was completed October 13, 2009.

OIG Recommendation 10. Configure MSS computer systems in compliance with
applicable Government standards including ensuring vendor security updates are applied,
the Web site locks the user account after 3 unsuccessful attempts, all passwords on the
MSS database are in compliance with standards, and that the application will enforce a
session lock after 15-minute inactivity for all users in accordance with OMB and DOT
guidance.

FAA Response: Concur.

The FAA will ensure that MSS computer systems are configured in compliance with
applicable standards by September 30, 2011.
AVS developed several Baseline Security
Configuration Standards (BSCS) for commercial products, including common databases.
An AVS BSCS was used as a foundation for the security configuration during the
database upgrade. Recent DOT policy changes require configuration and assessment
using a NIST or DOT approved checklist. AVS will review available database checklists
and implement an appropriate checklist for compatibility with enterprise infrastructure
and business requirements. To ensure the MSS servers maintain their approved security
configuration, AVS will continue its vulnerability scanning program which regularly
scans the server infrastructure that hosts the MSS applications and addresses
vulnerabilities.

The MSS web-enabled applications were modified on August 14, 2008 to lock user
accounts after three unsuccessful attempts. This modification also requires user
passwords to comply with FAA Order 1370.92, Password and PIN Management.

As noted in our response to OIG Recommendation 6 above, AMEs and their staffs are
required to comply with HIPAA and the HHS implementing rules. The FAA will specify
a specific time out value for AME desktops in their AMCS access agreements. While
NIST recommends a 15 minute value, the FAA will discuss this specific value with the
AME community and establish a value that complies with OMB, DOT and HHS
requirements for information systems security. The target date for establishment and
implementation of all time out standards is September 30, 2011.

OIG Recommendation 11.
Perform and document security testing as a continual part of
the MSS development process to confirm that security features remain in effect and are
still functioning properly when system changes are made.

FAA Response: Concur.

The remediation item to document security testing as a continual part of the MSS
development process is entered in the departmental FISMA reporting system with a due
date of September 30, 2010.

OIG Recommendation 12. Acquire a back-up server, finalize the Memorandum of
Understanding with the selected alternate processing site, and conduct a comprehensive
contingency test at the alternate site in accordance with Government standards.

FAA Response: Concur.

These actions were completed in October 2009. FAA brought the backup server online
as part of the database upgrade in October 2009. This provides redundant servers at the
primary processing site. The Application Hosting Proposal was finalized on August 19,
2009. This MOU documents the facility requirements for a data center in the event of a
disaster at the primary processing site. The MSS application was recovered at the back
up site on September 14, 2009 during a comprehensive contingency test.

OIG Recommendation 13. Upgrade the MSS database system to a version supported by
the software vendor.

FAA Response: Concur.

FAA completed the MSS database upgrade on October 13, 2009.

OIG Recommendation 14. Develop back-up database administration capability in the
event the primary Database Administrator is unavailable.

FAA Response: Concur.

FAA completed this recommendation in April 2009 through the addition of support staff.

OIG Recommendation 15.
Work with SSA and other disability benefits providers to
establish a target completion date for performing computer matching to identify airmen
applying for, or holding, medical certificates and receiving disability benefits.

FAA Response: Concur.

The FAA has made significant progress in response to the House Aviation
Subcommittee’s request that the FAA establish a matching program that would enable
FAA to detect airmen receiving disability benefits, compare medical records to ensure
medical information was appropriately disclosed, and determine whether enforcement
action is warranted.

FAA has completed the necessary legal steps that would allow the agency to share
medical information with other Federal agencies. Through publication in the Federal
Register, the FAA notified the public that it had revised the system of records notice that
applies to airman medical records to include one that expressly authorizes disclosure of
airman medical information to other Federal agencies for verification of the accuracy and
completeness of the applications. In addition, the Application for Airman Medical
Certificate, FAA Form 8500-8, was revised to provide similar information to each airman
medical certificate applicant.

The FAA also completed measures to obtain disability-related information directly from
applicants for an airman medical certificate. The FAA revised its paper and web-based
versions of its Application for Medical Certificate, FAA Form 8500-8, to require airmen
to address whether they currently receive, or have ever received, medical disability
benefits.
In addition, the FAA is providing written and oral instruction to its cadre of
approximately 4,000 AMEs by way of the Federal Air Surgeon’s Medical Bulletin and at
AME seminars describing their responsibility to seek disability-related information from
airmen.

While FAA has put into place these necessary building blocks that are within its
authority, it has not yet succeeded in gaining the cooperation of the other entities
necessary to make the process work. FAA’s limited data match testing during
“Operation Safe Pilot” was made possible through the participation of the DOT-OIG and
the Social Security Administration OIG (SSA-OIG). FAA’s efforts to build upon
Operation Safe Pilot rely upon the continued cooperation of both OIGs, and to date,
DOT-OIG has declined to participate. Recently, the DOT-OIG informed the FAA that it
would not participate in a computer matching program as proposed by the SSA-OIG.
The FAA notified the SSA-OIG of the DOT-OIG’s decision not to participate and
requested the SSA-OIG to consider the feasibility of proceeding without DOT-OIG
involvement. The FAA is awaiting SSA-OIG’s response to this request. If SSA-OIG
declines direct participation with FAA, then FAA will determine by November 2010
whether there may be alternative avenues to pursue the data match program.

Based upon the FAA’s limited experience and involvement with the DOT OIG and SSA OIG
pilot matching program “Operation Safe Pilot”, it is clear that FAA will require
additional personnel and funding to carry out a nation-wide, multi-departmental matching
program. Operation Safe Pilot only focused on the Northern and Eastern Districts of
California, and it generated a significant work load for the FAA Western-Pacific
Aerospace Medicine Division.
The FAA needs physicians, program analysts, attorneys
and paralegal specialists to implement and carry out a national program to investigate
alleged instances of falsification, prepare appropriate documentation in support thereof,
and carry out enforcement actions consistent with the Federal Aviation Regulations.

The FAA will seek additional resources in the President’s FY 2012 and/or FY 2013
budget request to implement and carry out this program. If the other Federal entities are
willing to participate, the FAA will be prepared to begin the program in FY 2012.